Detecting network attacks

ABSTRACT

Described is a technique for detecting attacks on a data communications network having a plurality of addresses for assignment to data processing systems in the network. The technique involves identifying data traffic on the network originating at any assigned address and addressed to any unassigned address. Any data traffic so identified is inspected for data indicative of an attack. On detection of data indicative of an attack, an alert signal is generated.

TECHNICAL FIELD

The present invention generally relates to detecting network attacks and particularly relates to methods, apparatus, and computer program elements for detecting attacks on a data communications network.

BACKGROUND OF THE INVENTION

The Internet is a wide area data communications network formed from a plurality of interconnected data networks. In operation, the Internet facilitates data communications between a range of remotely situated data processing systems. Such data processing systems each typically comprise a central processing unit (CPU), a memory subsystem, an input/output (I/O) subsystem, and computer program code stored in the memory subsystem for execution by the CPU. Typically, end user data processing systems connected to the Internet are referred to as client data processing systems or simply clients. Similarly, data processing systems hosting web sites and services for access by end users via the Internet are referred to as server data processing systems or simply servers. There is a client-server relationship completed via the Internet between the end user data processing systems and the hosting data processing systems.

The Internet has become an important communications network for facilitating electronically effected commercial interactions between consumers, retailers, and service providers. Access to the Internet is typically provided to such entities via an Internet Service Provider (ISP). Each ISP typically operates an open network to which clients subscribe. Each client is provided with a unique Internet Protocol (IP) address on the network. Similarly, each server on the network is provided with a unique IP address. The network operated by the ISP is connected to the Internet via a dedicated data processing system usually referred to as a router. In operation, the router directs inbound communication traffic from the Internet to specified IP addresses on the network. Similarly, the router directs outbound communication traffic from the network in the direction of specified IP addresses on the Internet.

A problem faced by many ISPs is the increasing frequency of electronic attacks on the networks they operate. Such attacks include computer virus attacks and so-called “worm” attacks. Attacks of this nature introduce significant performance degradation in networks operated by ISPs. Infected systems connected to the network typically attempt to spread the infection within the network. Many users do not recognize that their systems are infected. It would be desirable to provide technology for triggering disinfection of such systems in the interests of increasing network performance.

SUMMARY OF THE INVENTION

In accordance with the present invention, there is now provided a method for detecting attacks on a data communications network having a plurality of addresses for assignment to data processing systems in the network, the method comprising: identifying data traffic on the network originating at any assigned address and addressed to any unassigned address; inspecting any data traffic so identified for data indicative of an attack; and, on detection of data indicative of an attack, generating an alert signal.

The term “unassigned” herein covers an address that is not assigned to any physical device other than an apparatus for detecting an intrusion or generating an attack signature. The apparatus that executes the method according to the invention is the device to which those “unassigned” addresses are actually assigned in order to make use of the invention. Those addresses are unassigned insofar as they are not assigned to any device that has a function other than signature generation or intrusion detection. Thereby, data traffic addressed to such an unassigned address is received by that apparatus and subjected to the claimed method.

The inspecting preferably comprises spoofing replies to requests contained in the data traffic identified. A preferred embodiment of the present invention comprises, on generation of the alert signal, rerouting any data traffic originating at the address assigned to the data processing system originating the data indicative of the attack to a disinfection address on the network. On generation of the alert signal, an alert message may be sent to the disinfection address. The alert message may comprise data indicative of the attack detected. On receipt of the alert message, a warning message may be sent from the disinfection address to the address assigned to the data processing system originating the data indicative of the attack. The warning message may include program code for eliminating the attack when executed by the data processing system originating the data indicative of the attack.

Viewing the present invention from another aspect, there is now provided apparatus for detecting attacks on a data communications network having a plurality of addresses for assignment to data processing systems in the network, the apparatus comprising: an intrusion detection sensor (IDS) for identifying data traffic on the network originating at any assigned address and addressed to any unassigned address, inspecting any data traffic so identified for data indicative of an attack, and, on detection of data indicative of an attack, generating an alert signal.

The IDS in use preferably inspects the data traffic identified by spoofing replies to requests contained in the data traffic identified. The apparatus may also comprise a router connected to the intrusion detection sensor for rerouting, in response to generation of the alert signal, any data traffic originating at the address assigned to the data processing system originating the data indicative of the attack to a disinfection address on the network. Preferably, the IDS, on generation of the alert signal, sends an alert message to the disinfection address. The alert message preferably comprises data indicative of the attack detected. A preferred embodiment of the present invention further comprises a disinfection server assigned to the disinfection address, the disinfection server sending, on receipt of the alert message, a warning message to the address assigned to the data processing system originating the data indicative of the attack.

The present invention also extends to a data communications network comprising: a plurality of addresses for assignment to data processing systems in the network; and, apparatus for detecting attacks on the network as herein before described.

The present invention further extends to a computer program element comprising computer program code means which, when loaded in a processor of a data processing system, configures the processor to perform a method for detecting attacks on a data communications network as herein before described.

In a preferred embodiment of the present invention, there is provided a data communications network comprising: a router for connecting a plurality of data processing systems to the Internet; an IDS connected to the router; and a disinfection server also connected to the router. In response to the IDS detecting that one of the data processing systems is infected by an attack, the IDS instructs the router to deflect all network traffic from that system to the disinfection server. The IDS simultaneously supplies disinfection data to the disinfection server. The disinfection data is indicative of: the nature of the infection; how to disinfect the infected system; and how to resume normal network connectivity.

There are generally a large number of free IP addresses on a given network. In a particularly preferred embodiment of the present invention, the IDS listens on the network for traffic directed toward the free IP addresses. No such traffic should exist, because the free IP addresses are not in use; any attempt to contact, for example, a server at such an address is therefore a priori suspicious. In the event that a request sent to one of the free IP addresses is detected, the IDS spoofs an answer to the request and then listens for a reply to the spoofed answer. If the IDS detects a diagnosable attack in the reply, it signals the router to divert all traffic from the infected system to the disinfection server. Because the IDS interactively spoofs responses to infected systems, it observes the actual content of each attack rather than merely a connection attempt. Thus, false positives are minimized.

BRIEF DESCRIPTION OF THE FIGURES

Preferred embodiments of the present invention will now be described, by way of example only, with reference to the accompanying drawings, in which:

FIG. 1 is a block diagram of a data processing system;

FIG. 2 is a block diagram of a data processing network embodying the present invention;

FIG. 3 is a block diagram of an intrusion detection sensor embodying the present invention; and,

FIG. 4 is a flow diagram associated with the intrusion detection sensor.

DETAILED DESCRIPTION

Referring first to FIG. 1, a data processing system comprises a CPU 10, an I/O subsystem 20, and a memory subsystem 40, all interconnected by a bus subsystem 30. The memory subsystem 40 may comprise random access memory (RAM), read only memory (ROM), and one or more data storage devices such as hard disk drives, optical disk drives, and the like. The I/O subsystem 20 may comprise: a display; a printer; a keyboard; a pointing device such as a mouse, tracker ball, or the like; and one or more network connections permitting communications between the data processing system and one or more similar systems and/or peripheral devices via a data communications network. The combination of such systems and devices interconnected by such a network may itself form a distributed data processing system. Such distributed systems may themselves be interconnected by additional data communications networks.

In the memory subsystem 40 are stored data 60 and computer program code 50 executable by the CPU 10. The program code 50 includes operating system software 90 and application software 80. The operating system software 90, when executed by the CPU 10, provides a platform on which the application software 80 can be executed.

Referring now to FIG. 2, in a preferred embodiment of the present invention, there is provided a data communications network 100 having a plurality of addresses 110 for assignment to data processing systems in the network. In a particularly preferred embodiment of the present invention, the network 100 is in the form of an Internet service installation having a plurality of assignable Internet Protocol (IP) addresses 110. The network 100 is connected to the Internet 120 via a router 130. The router 130 may be implemented in the form of a data processing system as herein before described with reference to FIG. 1, dedicated by appropriate programming to the task of routing communication traffic in the form of data packets between the Internet 120 and the network 100 based on IP address data specified in the data packets. A first group 140 of the IP addresses 110 on the network 100 is assigned to systems 150 belonging to users of the Internet service. Each system 150 may be a data processing system as herein before described with reference to FIG. 1. A second group 160 of the IP addresses 110 on the network 100 is free. More specifically, the second group 160 of IP addresses 110 is not assigned to user systems 150. An intrusion detection sensor (IDS) 170 is also connected to the network 100. The IDS 170 is also connected to the router 130. Details of the IDS 170 will be provided further below. The router 130 is connected to a disinfection server 180. The disinfection server 180 may be implemented by a data processing system as herein before described with reference to FIG. 1.

With reference to FIG. 3, in a particularly preferred embodiment of the present invention, the IDS 170 comprises a data processing system as herein before described with reference to FIG. 1. The application software 80 of the IDS 170 includes intrusion detection code 200. The data 60 stored in the memory subsystem 40 of the IDS 170 includes attack identity data 210 and disinfection data 220. The data 60 also includes a record of which of the IP addresses 110 on the network 100 are free and belong to the second group 160, and which of the IP addresses 110 on the network 100 are assigned to data processing systems 150 and belong to the first group 140. The record is updated each time another IP address is allocated or an existing IP address allocation is removed. Because the IDS 170 treats any traffic toward the second group 160 as suspect, the record must be updated at the moment an allocation changes; a record that lags the allocation would cause traffic to a newly assigned address to be treated as suspect. The attack identity data 210 contains data indicative of signatures identifying known attacks. The disinfection data 220 contains data indicative of: the nature of each attack; how to disinfect a system infected with each attack; and how to resume normal network connectivity. The attack identity data 210 and disinfection data 220 are cross referenced. The intrusion detection code 200, when executed by the CPU 10, configures the IDS 170 to operate in accordance with the flow diagram shown in FIG. 4.

Referring now to FIG. 4, in operation, the IDS 170 identifies data traffic on the network 100 originating at any assigned address 140 and addressed to any unassigned address 160. The IDS 170 inspects any data traffic so identified for data indicative of an attack. On detection of data indicative of an attack, the IDS 170 generates an alert signal. In a preferred embodiment of the present invention, on generation of the alert signal, any data traffic originating at the address 140 assigned to the data processing system 150 originating the data indicative of the attack is rerouted to a disinfection address on the network 100. In a particularly preferred embodiment of the present invention, the IDS 170 listens on the network 100 for traffic directed toward the free IP addresses 160. Specifically, at block 300, the IDS 170 examines requests sent from addresses 140 on the network 100 to determine, at block 310, if the request specifies one of the free IP addresses 160 as the destination address. If the request does not specify one of the free IP addresses 160, then, at block 320, the IDS 170 waits for the next request to examine.

The identification may also be realized by assigning the unassigned addresses to the IDS 170, such that any traffic directed at an unassigned address automatically arrives at the IDS 170.

If, however, the request specifies one of the free IP addresses 160, then, at block 330, the IDS 170 spoofs an answer to the request. The answer is sent to the source IP address on the network 100. The free IP addresses 160 are not in use. Thus, any attempt to contact, for example, a system at such an address is a priori suspicious, although not by itself proof of infection, which is why the reply is inspected before any alert is raised. At block 340, the IDS 170 listens for a reply to the spoofed answer. The IDS 170 may time out if no reply is received within a predetermined period, in which case, at block 320, the IDS 170 waits for the next request to examine. If a reply is however received, then, at block 350, the IDS 170 compares the suspect request and reply with the attack identity data 210 stored in the memory subsystem 40. If, at block 350, the comparison fails to identify an attack, then, at block 320, the IDS 170 waits for the next request to examine. If, however, the comparison at block 350 detects a diagnosable attack in the reply, then the IDS 170 determines that the source system 150 is infected. Accordingly, at block 360, the IDS 170 generates the alert signal. The alert signal is sent to the router 130. The alert signal instructs the router 130 to divert all traffic from the infected system 150 to the disinfection address. Referring back to FIG. 2, in a particularly preferred embodiment of the present invention, a disinfection server 180 is located at the disinfection address.

In a preferred embodiment of the present invention, on generation of the alert signal, the IDS 170 sends an alert message to the disinfection address. Preferably, the alert message comprises data indicative of the attack detected. Accordingly, in a particularly preferred embodiment of the present invention, the IDS 170 retrieves the disinfection data 220 corresponding to the attack detected from the memory subsystem 40. At block 370, the IDS 170 sends the alert message containing the retrieved disinfection data to the disinfection address at which the disinfection server 180 resides. Then, at block 320, the IDS 170 waits for the next request to examine. Each request, answer, and reply may be embodied in one or more packets of data traffic on the network 100. Accordingly, the signature of each attack may span more than one packet.
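The FIG. 4 flow, blocks 300 to 370, as an added example in Python that is not code from the patent or its assignee: it keeps the record of assigned and free addresses, spoofs an answer to a request aimed at a free address, times out a reply that never comes, compares request plus reply with a signature, and raises the alert that orders the router diversion. The packet format, the signature format, the "constructed-worm-1" signature, the 192.0.2.0/24 addresses and the RouterStub are all assumptions made for illustration, and the TCP handshake is reduced to flag strings; a real sensor must actually see the traffic (promiscuous sniffing, or the free addresses routed to it as described above) and complete a genuine handshake before the reply payload is available.

```python
"""FIG. 4 sensor flow, blocks 300 to 370. Added example, not code from the patent;
packet format, signatures, address record and router stub are constructed here."""
from dataclasses import dataclass
import ipaddress
import re

@dataclass(frozen=True)
class Packet:
    ts: float             # arrival time in seconds
    src: str
    dst: str
    dport: int
    flags: str            # "S" = SYN, "SA" = SYN/ACK, "PA" = PSH/ACK (handshake simplified)
    payload: bytes = b""

class AddressRecord:
    """Assigned (group 140) versus free (group 160) addresses on network 100.
    allocate()/release() must track every lease change, or a newly assigned
    address would be mistaken for a free one."""
    def __init__(self, network, assigned=()):
        self.network, self.assigned = ipaddress.ip_network(network), set(assigned)
    def allocate(self, addr): self.assigned.add(addr)
    def release(self, addr): self.assigned.discard(addr)
    def is_assigned(self, addr): return addr in self.assigned
    def is_free(self, addr):
        return ipaddress.ip_address(addr) in self.network and addr not in self.assigned

@dataclass(frozen=True)
class Signature:
    """Attack identity data 210, cross-referenced to disinfection data 220; it spans
    the request (port) and the reply payload, so a bare SYN never alerts by itself."""
    name: str
    dport: int
    reply_pattern: bytes  # regex applied to the reply payload
    disinfection: str

@dataclass(frozen=True)
class Alert:
    src: str              # infected system 150
    dst: str              # free address it probed
    signature: str
    disinfection: str     # disinfection data carried by the block 370 alert message

class RouterStub:
    """Stand-in for router 130: records the diversion ordered at block 360."""
    def __init__(self): self.diverted = {}
    def divert(self, src, to): self.diverted[src] = to

class Sensor:
    def __init__(self, addrs, signatures, router, disinfection_addr, reply_timeout=5.0):
        self.addrs, self.signatures, self.router = addrs, signatures, router
        self.disinfection_addr, self.reply_timeout = disinfection_addr, reply_timeout
        self.pending = {}   # (src, dst) -> request awaiting a reply (block 340)
        self.spoofed = []   # answers emitted at block 330
        self.alerts = []

    def handle(self, pkt):
        # block 340 timeout: forget requests whose reply never came
        for key, req in list(self.pending.items()):
            if pkt.ts - req.ts > self.reply_timeout:
                del self.pending[key]
        key = (pkt.src, pkt.dst)
        if key in self.pending:                              # block 340: reply arrived
            return self._inspect(self.pending.pop(key), pkt)
        is_syn = "S" in pkt.flags and "A" not in pkt.flags
        if is_syn and self.addrs.is_assigned(pkt.src) and self.addrs.is_free(pkt.dst):
            # blocks 310/330: request to a free address; spoof an answer from it
            self.spoofed.append(Packet(pkt.ts, pkt.dst, pkt.src, pkt.dport, "SA"))
            self.pending[key] = pkt
        return None                                          # block 320: next request

    def _inspect(self, req, reply):
        # block 350: compare request + reply with the attack identity data
        for sig in self.signatures:
            if req.dport == sig.dport and re.search(sig.reply_pattern, reply.payload):
                alert = Alert(req.src, req.dst, sig.name, sig.disinfection)
                self.alerts.append(alert)                            # block 360
                self.router.divert(req.src, self.disinfection_addr)  # alert signal
                return alert                                         # block 370
        return None

def run_example():
    """Replay constructed traffic: an infected host, a clean flow, a silent probe."""
    addrs = AddressRecord("192.0.2.0/24", {"192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"})
    sigs = [Signature("constructed-worm-1", 8080, rb"^GET /scan\.cgi\?",
                      "run removal tool, reboot, then restore routing")]
    router = RouterStub()
    sensor = Sensor(addrs, sigs, router, disinfection_addr="192.0.2.254")
    for pkt in [
        Packet(0.0, "192.0.2.10", "192.0.2.200", 8080, "S"),   # probe of a free address
        Packet(0.1, "192.0.2.11", "192.0.2.12", 80, "S"),      # assigned to assigned: ignored
        Packet(0.2, "192.0.2.13", "192.0.2.201", 8080, "S"),   # probe that never continues
        Packet(0.5, "192.0.2.10", "192.0.2.200", 8080, "PA", b"GET /scan.cgi?x=1 HTTP/1.0\r\n"),
        Packet(9.0, "192.0.2.11", "192.0.2.12", 80, "PA", b"GET / HTTP/1.0\r\n"),  # 192.0.2.13 timed out
    ]:
        sensor.handle(pkt)
    return sensor, router
```

Running run_example() yields one alert, for 192.0.2.10, and one diversion entry in the router stub; the probe from 192.0.2.13 produces a spoofed answer but no alert, because its reply never arrives and the pending entry expires. That is the point of the spoof-and-inspect design: a connection attempt to a free address alone is never enough, only a reply that matches the attack identity data is.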

In a preferred embodiment of the present invention, the disinfection data 220 sent to the disinfection server 180 contains data indicative of: the nature of the attack detected; how to disinfect the system 150 infected with the attack; and how to resume normal network connectivity. On receipt of the disinfection data 220 from the IDS 170, the disinfection server 180 sets about curing the infected system 150 and restoring the network 100. In another preferred embodiment of the present invention, the disinfection data 220 contains only data indicative of the nature of the attack. The disinfection server then selects, based on the nature of the attack, one of a plurality of pre-stored techniques for disinfecting the infected system 150 and/or restoring the network 100 and executes the selected technique. The attacks may take many different forms. Accordingly, the corresponding techniques for disinfection and network restoration may vary widely from one attack to the next.

In a preferred embodiment of the present invention, on receipt of the disinfection data, the disinfection server 180 sends a warning message to the infected system 150. The warning message informs the user of the infected system 150 that his or her system 150 is infected. The message may instruct the user to run anti-virus software pre-stored in the infected system 150 to eliminate or otherwise isolate the infection. Alternatively, the message may contain disinfection program code for eliminating the attack from the infected system 150, together with instructions to assist the user in executing the disinfection code on the infected system 150. In another alternative, the message may direct the user to another web site, at which appropriate disinfection program code is provided. In another preferred embodiment of the present invention, the message contains disinfection program code that, when loaded into the infected system, executes automatically, thus eliminating or otherwise isolating the infection in a manner which is transparent to the user. Other disinfection schemes are possible.

In the embodiments of the present invention herein before described, the disinfection server 180 is implemented in a single data processing system such as that herein before described with reference to FIG. 1. However, in other embodiments of the present invention, the disinfection server 180 may be implemented by multiple interconnected data processing systems. Such data processing systems may be distributed or located together in a “farm”. Each data processing system in the disinfection server may be dedicated to handling a different attack. The IDS 170 may also be implemented by multiple integrated data processing systems. Alternatively, the IDS 170 and the disinfection server 180 may be integrated in a single data processing system.

The traffic on the network 100 sent from the infected system 150 and deflected by the router 130 to the disinfection server 180 may be logged and/or discarded by the disinfection server 180. In the embodiments of the present invention herein before described, the IDS 170 sends disinfection data 220 to the disinfection server 180. However, in other embodiments of the present invention, once an infection is detected, the IDS 170 may simply instruct the router 130 to deflect traffic from the infected system 150 to the disinfection server 180 without the IDS 170 additionally supplying disinfection data 220 to the disinfection server 180. The disinfection server 180 may then simply act as a repository for traffic originating in the infected system 150, logging and/or discarding traffic it receives from the infected system 150. The logging and discarding may be reported by the disinfection server 180 to an administrator of the network 100. Such reports may be delivered periodically or in real time. The reporting may be performed via, for example, an administration console. However, other reporting techniques, such as printed output for example, are possible. On receipt of such reports, administrators can take actions appropriate for eliminating or otherwise containing the infection of the network 100.
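The quarantine path described in the preceding paragraphs (router diversion, alert message, warning to the user, logging and discarding of deflected traffic, administrator report, and restoration of connectivity), as an added example in Python that is not code from the patent or its assignee. It covers both embodiments: an alert message carrying full disinfection data, and one carrying only the nature of the attack, for which the server selects a pre-stored technique; an unknown nature is reported for manual action rather than silently ignored. The message fields, the PRESTORED table, the report lines and all addresses are assumptions made for illustration, and the warning is returned as text; a real deployment would have to deliver it over a channel the quarantined host can still reach.

```python
"""Router 130 diversion and disinfection server 180. Added example, not code from
the patent; message format, pre-stored techniques and report lines are constructed."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class AlertMessage:
    """Alert message sent by the IDS to the disinfection address."""
    infected: str                            # address 140 of infected system 150
    nature: str                              # nature of the attack (always present)
    how_to_disinfect: Optional[str] = None   # absent in the nature-only embodiment
    how_to_resume: Optional[str] = None

# Pre-stored techniques, selected by nature when the IDS sends only the nature (constructed)
PRESTORED = {
    "constructed-worm-1": ("run the vendor removal tool and reboot",
                           "restore routing once the host stops probing"),
}

class Router:
    """Router 130: a per-source diversion table consulted for every packet."""
    def __init__(self): self.diverted = {}
    def divert(self, src, to): self.diverted[src] = to
    def restore(self, src): self.diverted.pop(src, None)
    def next_hop(self, src, dst): return self.diverted.get(src, dst)

class DisinfectionServer:
    def __init__(self, address, router):
        self.address, self.router = address, router
        self.cases = {}       # infected address -> how to resume connectivity
        self.warnings = []    # (infected address, warning message text)
        self.log = []         # deflected traffic as (src, dst, bytes), then discarded
        self.reports = []     # lines for the administration console

    def on_alert(self, msg):
        """Handle the alert message; returns the warning text, or None if the
        nature is unknown and no disinfection data was supplied."""
        disinfect, resume = msg.how_to_disinfect, msg.how_to_resume
        if disinfect is None or resume is None:          # nature-only embodiment
            if msg.nature not in PRESTORED:
                self.reports.append(f"{msg.infected}: unknown attack {msg.nature}, manual action needed")
                return None
            disinfect, resume = PRESTORED[msg.nature]
        warning = f"Your system {msg.infected} is infected with {msg.nature}: {disinfect}."
        self.warnings.append((msg.infected, warning))
        self.cases[msg.infected] = resume
        self.reports.append(f"{msg.infected}: alert {msg.nature}, warning sent")
        return warning

    def on_traffic(self, src, dst, payload):
        """Deflected traffic is logged and discarded, never forwarded."""
        self.log.append((src, dst, len(payload)))
        self.reports.append(f"{src}: discarded {len(payload)} bytes addressed to {dst}")

    def on_cured(self, infected):
        """Host reports disinfection done: resume normal connectivity."""
        resume = self.cases.pop(infected, None)
        if resume is None:
            return False
        self.router.restore(infected)
        self.reports.append(f"{infected}: connectivity restored ({resume})")
        return True

def forward(router, server, src, dst, payload):
    """Router decision for one packet: deflect to server 180 or deliver normally."""
    hop = router.next_hop(src, dst)
    if hop == server.address:
        server.on_traffic(src, dst, payload)
        return "discarded"
    return f"delivered to {hop}"

def run_example():
    router = Router()
    server = DisinfectionServer("192.0.2.254", router)
    infected = "192.0.2.10"
    router.divert(infected, server.address)                                  # alert signal
    warning = server.on_alert(AlertMessage(infected, "constructed-worm-1"))  # nature only
    unknown = server.on_alert(AlertMessage("192.0.2.13", "constructed-unknown"))
    during = forward(router, server, infected, "203.0.113.7", b"GET /scan.cgi?x=1")
    clean = forward(router, server, "192.0.2.11", "203.0.113.7", b"GET / HTTP/1.0")
    cured = server.on_cured(infected)
    after = forward(router, server, infected, "203.0.113.7", b"GET / HTTP/1.0")
    return {"warning": warning, "unknown": unknown, "during": during, "clean": clean,
            "cured": cured, "after": after, "server": server, "router": router}
```

While the case is open, every packet from the infected source is deflected regardless of its destination and is logged then dropped, so the worm cannot reach the rest of the network; traffic from uninfected sources is unaffected, and the diversion entry is removed only when the server marks the case cured.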

In the embodiments of the present invention herein before described, the IDS 170, router 130, and disinfection server 180 are implemented by data processing systems programmed with appropriate program code. However, it will be appreciated that, in other embodiments of the present invention, one or more of the functions described herein as being implemented in software may be implemented at least partially in hardwired logic circuitry.

It will also be appreciated that the attack detection methods described herein may be implemented by the service provider responsible for the network 100, or at least partially by a third party in the form of a service to the service provider. Such a service may differentiate the service offered by the service provider from the services provided by its competitors. Such differentiated services may optionally be supplied to end users of the network service in exchange for an additional premium.

The service of detecting attacks for networks used by an entity other than the service provider may, in a preferred embodiment, comprise billing for the service delivered. The charge to be billed may therein be determined in dependence on one or more of a number of factors that typically are indicative of the complexity or workload experienced by the service provider. Such factors indicative of the volume and time consumption of the service provided may include the size of the network, the number of unassigned addresses monitored, the number of assigned addresses monitored, the volume of data traffic inspected, the number of attacks identified, the number of alerts generated, and the volume of rerouted data traffic. Factors identifying a level of increased complexity can be the signature of the identified attack and the degree of network security achieved. Also, factors identifying the value of the service provided to the serviced entity may be used, such as the turnover of said entity, the field of business of said entity, or the like.

Of course, any combination of the previously mentioned factors is possible, in particular being differently weighted to determine a final charge. The billing can be automated in that the charge is sent together with one of the messages sent in the attack detection process. This advantageously combines the use of the messaging for the attack-handling purpose together with its use for the billing purpose. The double use of a message provides the technical advantage of reducing the traffic flow generated through the attack detection and billing process. At the same time this method can be used to guarantee that the serviced entity is only billed for exactly the service provided.

Another preferred solution for billing is offering the entity a subscription to the attack detection service that allows the serviced entity to profit from the attack detection process for a predetermined time, volume of traffic, number of systems or the like. The service provider may offer his own disinfection server as a hosting unit to be used in combination with the network used by the serviced entity, but it is also possible that the disinfection server is held, maintained, hosted or leased by the serviced entity.

In a further preferred embodiment the service provider may utilize a synergistic effect by providing the attack detection service to several entities, and sharing the resources, such as the router 130, intrusion detection sensor 170 and disinfection server 180, among the several services. Thereby not only can more efficient use of the employed resources be obtained, but attack-related information between the different networks can also be shared and utilized to improve the detection quality on the serviced networks. For instance, the detection of an attack on one network could lead to a quicker detection on another network, since the process of determining an attack signature can be shortened or even eliminated. Also, the disinfection mechanism can be shared between the serviced entities, thereby reducing their effort and costs related to updating and maintaining the disinfection mechanism. The technical advantage of sharing technical data that is derived from the handling of attacks on the network of one entity to improve the attack handling of another serviced entity will provide an incentive for entities to join a pool of several entities being serviced by the same service provider for intrusion detection. The billing model could in a preferred embodiment be adapted to incent the participation of entities in a group of entities sharing the detection resources and employing the same service provider.

Herein the term “connect” is not limited to physical connections. It is for example intended to also encompass a general link that allows the sending or receiving of information. The connection can therein be indirect.

1. A method for detecting attacks on a data communications network having a plurality of addresses for assignment to data processing systems in the network, the method comprising: identifying data traffic on the network originating at any assigned address and addressed to any unassigned address, said unassigned address being an address which is free and not assigned to user systems; inspecting any data traffic so identified for data indicative of an attack; and, on detection of data indicative of an attack, generating an alert signal.
2. A method as claimed in claim 1, wherein the inspecting comprises spoofing replies to requests contained in the data traffic identified.
3. A method as claimed in claim 1, comprising, on generation of the alert signal, rerouting any data traffic originating at the address assigned to the data processing system originating the data indicative of the attack to a disinfection address on the network.
4. A method as claimed in claim 1, comprising, on generation of the alert signal, sending an alert message to the disinfection address.
5. A method as claimed in claim 4, wherein the alert message comprises data indicative of the attack detected.
6. A method as claimed in claim 5, comprising, on receipt of the alert message, sending a warning message from the disinfection address to the address assigned to the data processing system originating the data indicative of the attack.
7. A method as claimed in claim 6, comprising including in the warning message program code for eliminating the attack when executed by the data processing system originating the data indicative of the attack.
8. Apparatus for detecting attacks on a data communications network having a plurality of addresses for assignment to data processing systems in the network, the apparatus comprising: an intrusion detection sensor for identifying data traffic on the network originating at any assigned address and addressed to any unassigned address, said unassigned address being an address which is free and not assigned to user systems, inspecting any data traffic so identified for data indicative of an attack, and, on detection of data indicative of an attack, generating an alert signal.
9. Apparatus as claimed in claim 8, wherein the intrusion detection sensor in use inspects the data traffic identified by spoofing replies to requests contained in the data traffic identified.
10. Apparatus as claimed in claim 8, further comprising a router connected to the intrusion detection sensor for rerouting, in response to generation of the alert signal, any data traffic originating at the address assigned to the data processing system originating the data indicative of the attack to a disinfection address on the network.
11. Apparatus as claimed in claim 8, wherein the intrusion detection sensor, on generation of the alert signal, sends an alert message to the disinfection address.
12. Apparatus as claimed in claim 11, wherein the alert message comprises data indicative of the attack detected.
13. Apparatus as claimed in claim 12, further comprising a disinfection server assigned to the disinfection address, the disinfection server sending, on receipt of the alert message, a warning message to the address assigned to the data processing system originating the data indicative of the attack.
14. Apparatus as claimed in claim 13, wherein the warning message comprises program code for eliminating the attack when executed by the data processing system originating the data indicative of the attack.
15. A data communications network comprising: a plurality of addresses for assignment to data processing systems in the network; and, apparatus for detecting attacks on the network as claimed in claim 8.
16. A computer program element comprising computer program code means which, when loaded in a processor of a data processing system, configures the processor to perform a method for detecting attacks on a data communications network as claimed in claim 1.
17. A method as claimed in claim 1, further comprising supporting an entity in the handling of the detected attack by one of providing instructions for use of, assistance in executing, and execution of disinfection program code.
18. A method as claimed in claim 1, further comprising providing a report to said entity containing information related to one of alert, disinfection, rerouting, logging, and discarding of data traffic in the context of a detected attack.
19. A method as claimed in claim 1, further comprising billing said entity for the execution of at least one of the steps contained in claim 1, the charge being billed preferably being determined in dependence on one of the size of the network, the number of unassigned addresses monitored, the number of assigned addresses monitored, the volume of data traffic inspected, the number of attacks identified, the number of alerts generated, the signature of the identified attack, the volume of rerouted data traffic, the degree of network security achieved, and the turnover of said entity.
20. A method as claimed in claim 1, further comprising providing said method for several entities and using technical data derived from the attack-handling for one of said entities for the attack-handling for another of said entities.
21. A method for deploying an intrusion detection application for an entity, comprising: connecting an intrusion detection sensor to a network used by said entity for identifying data traffic on the network originating at any assigned address and addressed to any unassigned address, said unassigned address being an address which is free and not assigned to user systems, and for inspecting any data traffic so identified for data indicative of an attack and for, on detection of data indicative of an attack, generating an alert signal; and connecting a router to said network for rerouting, in response to generation of the alert signal, any data traffic originating at the address assigned to the data processing system originating the data indicative of the attack to a disinfection address on the network.
22. A method according to claim 21, further comprising connecting a disinfection server assigned to the disinfection address to the network, the disinfection server being adapted for sending, on receipt of the alert message, a warning message to the address assigned to the data processing system originating the data indicative of the attack.
23. A computer program product comprising a computer usable medium having computer readable program code means embodied therein for causing detection of attacks on a data communications network having a plurality of addresses for assignment to data processing systems in the network, the computer readable program code means in said computer program product comprising computer readable program code means for causing a computer to effect the functions of claim 1.
24. A computer program product comprising a computer usable medium having computer readable program code means embodied therein for causing deployment of an intrusion detection application for an entity, the computer readable program code means in said computer program product comprising computer readable program code means for causing a computer to effect the functions of claim 21.